String Decompilation.. help! - Page 2

rhelgeby · 06-19-2011 , 09:07 Re: String Decompilation.. help!

I just don't get why you need to put secret stuff in the plugin. What is this 'web auth system' actually doing? Maybe we could help with a safer design without worrying about people decompiling it or getting the source.

If you just want to protect proprietary code you can't stop it other than making it more difficult to understand with those fake function calls like mentioned. Pirates will always win if there's enough time.

If you're worried about the auth algorithm being revealed, you should reconsider your design. A secret auth algorithm isn't secure unless you have 100% control of decompilation and distribution of the plugin, which is nearly impossible once it's on the internet.

johnally · 06-19-2011 , 10:28 Re: String Decompilation.. help!

Here I explain:

The plugin will be released to a small around 200(120active) csers community. Plugin is working on a licensed base system! Each hoster has a license to run plugin. For license to be validated, they need to be logged in on the site.

Plugin's Main objective is to combine steamID and user management system of the website. I guess for some of you it is a deja-vu! I'm doing this plugin to enrich my overall programming knowledge and as a request from admin of website.

I must admit, the model is NOT one of the best but at least won most the tests(delay, cpu usage, etc etc).

But as soon as we(moderators) advertised the release of the plugin, there was sure a haul of excitement but some were very septic and wanted to show their so-called "hacking/cracking" knowledge by bringing the project in pieces.

So before any release, I strongly wish to know if making them have a hard time is possible. I do keep in mind amxmodx is under GPL but that the only way, I found to program with control over cs environment. So if some here remove support (not open-source), I'll understand!

Anyway, the community I'm speaking about is dying in the few months to come! If there is a chance to slap it to back how it was 7-10 years before(cs 1.5), I guess I'll sacrifice my time and self to keep it alive.

Sorry for weird English,

Exolent[jNr] · 06-19-2011 , 12:25 Re: String Decompilation.. help!

So, to get your plugin they have to sign up for your website?

johnally · 06-19-2011 , 12:45 Re: String Decompilation.. help!

Yes they have to be a member on the site!

rhelgeby · *Last edited by rhelgeby; 06-19-2011 at 12:51.*

Seems so.

If I'm not wrong, the plugin has some sort of activation on a central server (the web site). Something similar to Windows activation, just activated every time the plugin is loaded.

We know that pirates beat this system no matter how difficult developers try to make it. This is because the code that tells whether it should be enabled or not is in the client (plugin) and will always be readable for those who are good at assembly languages.

The question is; why does the code need to be in the plugin (the 'combine steamID and user management system' stuff)?

If it's important to keep this stuff secret, why not develop a remote API on the site (PHP scripts or something)? Then the client (plugin) could log in to that server and call remote functions. Obviously this would need encrypted connections.

I'm not sure if this is possible for you since I don't know what 'combine steamID and user management system' really means. User management sounds like a job for the server (web site) and not a plugin. The plugin would just be a client to ask the server about certain users, or call remote commands.

Exolent[jNr] · 06-19-2011 , 12:54 Re: String Decompilation.. help!

I think the best way would be for the client to have their SteamID + server IP on your website.
Then the plugin would make a request to the site with the given SteamID and the server's IP.
You can even let them make their own password and include it with the information if the IP or something was ever duplicated.
Then the webserver would take that information and give a response to the gameserver telling the plugin whether or not it is allowed to work.

johnally · *Last edited by johnally; 06-19-2011 at 13:12.*

@rhelgeby
@Exolent[jNr]
I already did as you both are saying. The webserver has most of the functions and the plugin just use GET on the required php file to query the DB. However, I can't get the connection encrypted.

My license system, checks that the hoster has the correct license key and for that license key, is logged in on the website.

I got a question however, CAN the plugin be decompiled, modified and recompiled? I could decompile it but getting it back to amxx is hard!

Most of my transactions happens on the webserver:
- Get the cs server's ip address(behind router)
- Check License
- Check if plugin was modified
- Automated add/(manual remove) to LGSL
- Main Authentication system on client_putinserver..

I was coding the "cfg get" function. It would retrieve the strings from the webserver.

However, My socket is pretty 'nake'.. but that's another issue!

Also, I was thinking about using a dispatcher to dispatch all the function calls(as seen in most ASA techniques)

P.S: combine steamID with the user management system is simple..
steamID = Username

This will be probably my last contribution to the community there. Cheers,

rhelgeby · 06-19-2011 , 15:30 Re: String Decompilation.. help!

To modify a compiled plugin you wouldn't need to restore full source code. Modifying by manually modifying the bytecode would be enough, but only hard core programmers would do that. It's not impossible.

johnally · 06-19-2011 , 15:50 Re: String Decompilation.. help!

@rhelgeby

lol.. then I guess my plugin might be safe if kept in the community there

Thanks for answer.. I can take a break now(want a kit-kat?)